Troubleshooting WSS 3.0 Search Service

I recently installed WSS 3.0 using server farm mode: with SQL Server 2005 Express preinstalled. I created a site collection on a new Web Application, setting up the search service, and when I clicked on the search button, I got the following error message on the result page:

“The search request was unable to connect to the Search Service”

Another click on the search button, I got the following error message:

“Your search cannot be completed because of a service error”

A peek on the Application Event Log shows the following logs description:

“Query machine ‘SERVERNAME’ has been taken out of rotation due to this error: Access is denied.”
“Retry of query machine ‘SERVERNAME’ has failed with error: Access is denied.”

After googling around I found some suggestion to use Administrator account for the Sharepoint Application Pool (which turns out workable!), but somehow I think is not a proper setting. A further studies on the Internet suggest me to do the following:

  1. Create 2 new domain accounts under WSS_WPG, I called it Wssreader and Wsspooler.
  2. Change Application Pool to run under Wsspooler. (Central Administration > Operations > Service Accounts)
  3. Change Web Application’s IIS Authentication Settings to use NTLM, if you are using Kerboros previously. (Central Administration > Application Management > Authentication Providers > Select Web Application > Default Zone)
  4. Reconfigure WSS Search Service and Content Crawler to run under Wssreader, I recommend stop the service, drop the previous search database, and start the service again to let WSS auto-configure the SQL Permission for Wssreader. (Central Administration > Operations > Services on Server > WSSSS)
  5. Finally reconfigure content database for search service. (Central Administration > Application Management > Content Databases > Search Server)

If things still doesn’t work out, you can always relies on Application Event Log to help you make necessary troubleshooting. Most commonly is your Application Pool account do not have sufficient permission to access, execute and select into your content database. Just fire up your SQL Management Studio and start making changes to the security schema of your content database. However, I am suspecting Kerboros Authentication do not work well with the search service configured under farm setting (or probably SQL Server Express). Good Luck!